Compare commits
6 Commits
0.26.0
...
update-def
| Author | SHA1 | Date | |
|---|---|---|---|
|
872edd45a5 | ||
|
|
fc1500abdc | ||
|
|
915b19bbe7 | ||
|
|
5681af892c | ||
|
|
807896715e | ||
|
|
0fa0cdb177 |
133
README.md
133
README.md
@@ -14,6 +14,7 @@
|
||||
* [Scan CI Pipeline](#scan-ci-pipeline)
|
||||
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
|
||||
* [Cache](#cache)
|
||||
* [Trivy Setup](#trivy-setup)
|
||||
* [Scanning a Tarball](#scanning-a-tarball)
|
||||
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
|
||||
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
|
||||
@@ -48,7 +49,7 @@ jobs:
|
||||
- name: Build an image from Dockerfile
|
||||
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'table'
|
||||
@@ -76,7 +77,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in fs mode
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
@@ -117,7 +118,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner without cache
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
@@ -175,7 +176,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner without downloading DBs
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'image'
|
||||
scan-ref: 'myimage'
|
||||
@@ -184,6 +185,97 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
|
||||
TRIVY_SKIP_JAVA_DB_UPDATE: true
|
||||
```
|
||||
|
||||
### Trivy Setup
|
||||
By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
|
||||
which installs the `trivy` version specified by the `version` input. If you have already installed `trivy` by other
|
||||
means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
|
||||
`skip-setup-trivy` input to disable this step.
|
||||
|
||||
#### Setting up Trivy Manually
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Manual Trivy Setup
|
||||
uses: aquasecurity/setup-trivy@v0.2.0
|
||||
with:
|
||||
cache: true
|
||||
version: v0.56.1
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL'
|
||||
skip-setup-trivy: true
|
||||
```
|
||||
|
||||
#### Skipping Setup when Calling Trivy Action multiple times
|
||||
Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to
|
||||
`true` on subsequent invocations e.g.
|
||||
|
||||
```yaml
|
||||
name: build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Check out Git repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# The first call to the action will invoke setup-trivy and install trivy
|
||||
- name: Generate Trivy Vulnerability Report
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: "fs"
|
||||
output: trivy-report.json
|
||||
format: json
|
||||
scan-ref: .
|
||||
exit-code: 0
|
||||
|
||||
- name: Upload Vulnerability Scan Results
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: trivy-report
|
||||
path: trivy-report.json
|
||||
retention-days: 30
|
||||
|
||||
- name: Fail build on High/Criticial Vulnerabilities
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: "fs"
|
||||
format: table
|
||||
scan-ref: .
|
||||
severity: HIGH,CRITICAL
|
||||
ignore-unfixed: true
|
||||
exit-code: 1
|
||||
# On a subsequent call to the action we know trivy is already installed so can skip this
|
||||
skip-setup-trivy: true
|
||||
```
|
||||
|
||||
### Scanning a Tarball
|
||||
```yaml
|
||||
name: build
|
||||
@@ -206,7 +298,7 @@ jobs:
|
||||
docker save -o vuln-image.tar <your-docker-image>
|
||||
|
||||
- name: Run Trivy vulnerability scanner in tarball mode
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
input: /github/workspace/vuln-image.tar
|
||||
severity: 'CRITICAL,HIGH'
|
||||
@@ -234,7 +326,7 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -269,7 +361,7 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -304,7 +396,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
@@ -338,7 +430,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner with rootfs command
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'rootfs'
|
||||
scan-ref: 'rootfs-example-binary'
|
||||
@@ -373,7 +465,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner in IaC mode
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'config'
|
||||
hide-progress: true
|
||||
@@ -417,7 +509,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
format: 'github'
|
||||
@@ -448,7 +540,7 @@ jobs:
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Scan image in a private registry
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: "private_image_registry/image_name:image_tag"
|
||||
scan-type: image
|
||||
@@ -491,7 +583,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -527,7 +619,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -563,7 +655,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -596,7 +688,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'sarif'
|
||||
@@ -619,7 +711,7 @@ This step is especially useful for private repositories without [GitHub Advanced
|
||||
|
||||
```yaml
|
||||
- name: Run Trivy scanner
|
||||
uses: aquasecurity/trivy-action@0.20.0
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: config
|
||||
hide-progress: true
|
||||
@@ -659,7 +751,7 @@ Following inputs can be used as `step.with` keys:
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
@@ -669,18 +761,19 @@ Following inputs can be used as `step.with` keys:
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
|
||||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
|
||||
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
|
||||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
|
||||
|
||||
### Environment variables
|
||||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
|
||||
|
||||
71
action.yaml
71
action.yaml
@@ -103,13 +103,20 @@ inputs:
|
||||
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
|
||||
required: false
|
||||
default: 'true'
|
||||
skip-setup-trivy:
|
||||
description: 'skip calling the setup-trivy action to install trivy'
|
||||
required: false
|
||||
default: 'false'
|
||||
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
shell: bash
|
||||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin ${{ inputs.version }}
|
||||
if: ${{ inputs.skip-setup-trivy == 'false' }}
|
||||
uses: aquasecurity/setup-trivy@v0.2.1
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
cache: ${{ inputs.cache }}
|
||||
|
||||
- name: Get current date
|
||||
id: date
|
||||
@@ -130,6 +137,45 @@ runs:
|
||||
env:
|
||||
GITHUB_ACTION_PATH: ${{ github.action_path }}
|
||||
|
||||
- name: Set Trivy environment variables
|
||||
shell: bash
|
||||
run: |
|
||||
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
|
||||
# This limitation affects how we handle default values and empty inputs.
|
||||
# For more information, see: https://github.com/actions/runner/issues/924
|
||||
|
||||
# Function to set environment variable only if the input is provided and different from default
|
||||
set_env_var_if_provided() {
|
||||
local var_name="$1"
|
||||
local input_value="$2"
|
||||
local default_value="$3"
|
||||
|
||||
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
|
||||
echo "$var_name=$input_value" >> $GITHUB_ENV
|
||||
fi
|
||||
}
|
||||
|
||||
# Set environment variables, handling those with default values
|
||||
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
|
||||
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
|
||||
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
|
||||
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
|
||||
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
|
||||
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
|
||||
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
|
||||
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
|
||||
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
|
||||
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
|
||||
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
|
||||
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
|
||||
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
|
||||
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
|
||||
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
|
||||
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
|
||||
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
|
||||
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
|
||||
|
||||
- name: Run Trivy
|
||||
shell: bash
|
||||
run: entrypoint.sh
|
||||
@@ -145,23 +191,4 @@ runs:
|
||||
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
|
||||
|
||||
# For Trivy
|
||||
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
TRIVY_INPUT: ${{ inputs.input }}
|
||||
TRIVY_EXIT_CODE: ${{ inputs.exit-code }}
|
||||
TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
|
||||
TRIVY_PKG_TYPES: ${{ inputs.vuln-type }}
|
||||
TRIVY_SEVERITY: ${{ inputs.severity }}
|
||||
TRIVY_FORMAT: ${{ inputs.format }}
|
||||
TRIVY_TEMPLATE: ${{ inputs.template }}
|
||||
TRIVY_OUTPUT: ${{ inputs.output }}
|
||||
TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }}
|
||||
TRIVY_SKIP_FILES: ${{ inputs.skip-files }}
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }}
|
||||
TRIVY_TIMEOUT: ${{ inputs.timeout }}
|
||||
TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }}
|
||||
TRIVY_QUIET: ${{ inputs.hide-progress }}
|
||||
TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
|
||||
TRIVY_SCANNERS: ${{ inputs.scanners }}
|
||||
TRIVY_CONFIG: ${{ inputs.trivy-config }}
|
||||
TRIVY_TF_VARS: ${{ inputs.tf-vars }}
|
||||
TRIVY_DOCKER_HOST: ${{ inputs.docker-host }}
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
|
||||
|
||||
Reference in New Issue
Block a user